[dns-operations] Another possible .gov validation problem?
Mark Andrews
marka at isc.org
Sat Feb 12 08:36:48 UTC 2011
In message <7FC8D4F4-3D71-4A3F-BA2A-25496572135A at nxdomain.com>, Cricket Liu writes:
> I'm seeing what looks like another validation problem in .gov, but (I think)
> due to problems below nasa.gov.
>
> When I try to resolve atmos.pds.nasa.gov, I get a validation failure. BIND (
> 9.7.2) logs the following:
>
> Feb 11 21:33:42 bigmo named[67012]: lame-servers: info: error (no valid RRSIG) resolving 'atmos.pds.nasa.gov/DS/IN': 198.116.4.181#53
> Feb 11 21:33:42 bigmo named[67012]: lame-servers: info: error (no valid RRSIG) resolving 'atmos.pds.nasa.gov/DS/IN': 198.116.4.189#53
> Feb 11 21:33:42 bigmo named[67012]: lame-servers: info: error (no valid RRSIG) resolving 'atmos.pds.nasa.gov/DS/IN': 198.116.4.185#53
> Feb 11 21:33:42 bigmo named[67012]: lame-servers: info: error (no valid DS) resolving 'atmos.pds.nasa.gov/A/IN': 198.116.4.181#53
> Feb 11 21:33:42 bigmo named[67012]: dnssec: info: validating @0x8373000: atmos.pds.nasa.gov A: bad cache hit (atmos.pds.nasa.gov/DS)
> Feb 11 21:33:42 bigmo named[67012]: lame-servers: info: error (broken trust chain) resolving 'atmos.pds.nasa.gov/A/IN': 198.116.4.185#53
>
> Apparently BIND is expecting pds.nasa.gov to be secure, but it's not:
>
> $ dig @ns1.nasa.gov. any pds.nasa.gov. +norec
>
> ; <<>> DiG 9.7.2 <<>> @ns1.nasa.gov. any pds.nasa.gov. +norec
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60070
> ;; flags: qr aa; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 3
>
> ;; QUESTION SECTION:
> ;pds.nasa.gov. IN ANY
>
> ;; ANSWER SECTION:
> pds.nasa.gov. 3600 IN A 128.149.132.22
> pds.nasa.gov. 3600 IN NS ns3.nasa.gov.
> pds.nasa.gov. 3600 IN NS ns1.nasa.gov.
> pds.nasa.gov. 3600 IN NS ns2.nasa.gov.
> pds.nasa.gov. 3600 IN SOA ns1.nasa.gov. dns.nasa.gov. 2008041906 10800 3600 604800 86400
>
> Note the absence of a DS RR.
>
> However, an explicit query for a DS RR returns something surprising:
>
> $ dig @ns1.nasa.gov. ds pds.nasa.gov. +norec
>
> ; <<>> DiG 9.7.2 <<>> @ns1.nasa.gov. ds pds.nasa.gov. +norec
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3502
> ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;pds.nasa.gov. IN DS
>
> Note the NXDOMAIN RCODE.
>
> The response to a DNSKEY query looks saner:
>
> $ dig @ns1.nasa.gov. dnskey pds.nasa.gov. +norec
>
> ; <<>> DiG 9.7.2 <<>> @ns1.nasa.gov. dnskey pds.nasa.gov. +norec
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30896
> ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;pds.nasa.gov. IN DNSKEY
>
> Any chance the weird DS response is throwing the validator off? Or is there
> something else wrong that I haven't spotted?
pdl.nasa.gov. 14400 IN NSEC people.nasa.gov. NS RRSIG NSEC
pds.nasa.gov does not exist according to nasa.gov. Looks like someone forgot
to add the delegation. The only reason named gets this far is the zone
is served by the same servers as nasa.gov.
> cricket
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org